The CJEU invalidates the Privacy Shield

By Alessandro Fiorentino
The EU Court of Justice invalidates the Privacy Shield for data transfers to the USA

The Court of Justice of the European Union invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield.

On the other hand, it considers that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.

In its communiqué, the Court of Justice of the European Union recalls that the General Data Protection Regulation (GDPR) provides that the transfer of such data to a third country can, in principle, only take place if the third country in question ensures an adequate level of protection for this data.

According to the GDPR, the Commission may find that a third country ensures, due to its domestic legislation or international commitments, an adequate level of protection.

In the absence of such an adequacy decision, such a transfer can only be carried out if the exporter of personal data, established in the Union, provides appropriate guarantees, which may in particular result from standard data protection clauses adopted by the Commission, and if the persons concerned have enforceable rights and effective remedies.

In addition, the GDPR establishes, in a precise manner, the conditions under which such a transfer can take place in the absence of an adequacy decision or appropriate guarantees.

“The Court has clarified for the second time that a conflict exists between European privacy law and American surveillance law. Since the EU won't change its fundamental rights to please the NSA, the only way to overcome this conflict is for the United States to introduce privacy protections for everyone, including foreigners. The reform of surveillance laws is thus becoming crucial for the commercial interests of Silicon Valley.”

Concretely, this decision of the CJEU implies that the personal data of Europeans can no longer be transferred to or processed on servers hosted on American soil on the basis of the Privacy Shield.

For European organizations concerned about their compliance with the "Informatique et Libertés" (French data protection) legal framework, it is therefore appropriate to initiate a new project: the review of transfers outside the EU.

In practice, each non-EU transfer declared in the register of processing activities as relying on this adequacy mechanism must now favour Standard Contractual Clauses as the framework for that transfer.

Are you an Adequacy user? Good news: you can directly extract the “list of transfers outside the EU by treatment” in order to obtain visibility on the work to be carried out.
